[miniconda] Patch Python due to GHSA-5cpq-8wj7-hf2v (#634)

* [miniconda] Patch Python due to GHSA-5cpq-8wj7-hf2v - Update Dockerfile to install the latest versions of pyopenssl and cryptography; - Added tests to verify minimum version for pyopenssl and cryptography packages; - Added tests to verify minimum package version via `conda list` command. * Fix text * Rework fix * test: Replace command * test: Enable `pip_interop_enabled` for conda * Rework patch * Fix dockerfile * Test: Restore patch for `requests` package * Update test.sh * Update Dockerfile * Revert patch for `requests` package due to issues with `conda-install` test
devcontainers · Jul 26, 2023 · 4913fb2 · 4913fb2
1 parent 99acaad
commit 4913fb2
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 7 deletions.
diff --git a/src/miniconda/.devcontainer/Dockerfile b/src/miniconda/.devcontainer/Dockerfile
@@ -41,9 +41,10 @@ RUN if [ -f "/tmp/conda-tmp/environment.yml" ]; then umask 0002 && /opt/conda/bi
 
 # Temporary: Upgrade python packages due to mentioned CVEs
 # They are installed by the base image (continuumio/miniconda3) which does not have the patch.
-RUN python3 -m pip install --upgrade \
-    # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32681
-    requests
+RUN conda install \ 
+    # https://github.com/pyca/cryptography/security/advisories/GHSA-5cpq-8wj7-hf2v
+    pyopenssl=23.2.0 \ 
+    cryptography=41.0.2
 
 # [Optional] Uncomment this section to install additional OS packages.
 # RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \

diff --git a/src/miniconda/test-project/test-utils.sh b/src/miniconda/test-project/test-utils.sh
@@ -172,3 +172,11 @@ checkPythonPackageVersion()
     current_version=$(python -c "import ${PACKAGE}; print(${PACKAGE}.__version__)")
     check-version-ge "${PACKAGE}-requirement" "${current_version}" "${REQUIRED_VERSION}"
 }
+
+checkCondaPackageVersion()
+{
+    PACKAGE=$1
+    REQUIRED_VERSION=$2
+    current_version=$(conda list "${PACKAGE}" | grep -w "${PACKAGE}" | awk '{print $2}')
+    check-version-ge "conda-${PACKAGE}-requirement" "${current_version}" "${REQUIRED_VERSION}"
+}
diff --git a/src/miniconda/test-project/test.sh b/src/miniconda/test-project/test.sh
@@ -18,14 +18,18 @@ check "gitconfig-contains-name" sh -c "cat /etc/gitconfig | grep 'name = devcont
 
 check "usr-local-etc-config-does-not-exist" test ! -f "/usr/local/etc/gitconfig"
 
-checkPythonPackageVersion "cryptography" "38.0.3"
+checkPythonPackageVersion "cryptography" "41.0.0"
 checkPythonPackageVersion "setuptools" "65.5.1"
 checkPythonPackageVersion "wheel" "0.38.1"
-checkPythonPackageVersion "requests" "2.31.0"
+
+checkCondaPackageVersion "cryptography" "41.0.0"
+checkCondaPackageVersion "pyopenssl" "23.2.0"
+checkCondaPackageVersion "setuptools" "65.5.1"
+checkCondaPackageVersion "wheel" "0.38.1"
 
 check "conda-update-conda" bash -c "conda update -y conda"
-check "conda-install" bash -c "conda install -c conda-forge --yes tensorflow"
-check "conda-install" bash -c "conda install -c conda-forge --yes pytorch"
+check "conda-install-tensorflow" bash -c "conda install -c conda-forge --yes tensorflow"
+check "conda-install-pytorch" bash -c "conda install -c conda-forge --yes pytorch"
 
 # Report result
 reportResults